This invention pertains to the field of preventing malicious attacks to computers, and, in particular, attacks by computer worms.
As used herein, “malicious computer code” is any set of computer instructions that enters a computer without an authorized user's knowledge and/or without an authorized user's consent. Malicious computer code that propagates from one computer to another over a network, e.g., the Internet, is often referred to as a “worm.”
Network based intrusion detection systems have been constructed that examine inbound and outbound network packets that are entering and leaving a host computer. Such systems scan the contents of these packets to look for strings containing known malicious code. Some of these systems are capable of reconstructing a stream of data out of the packet fragments. However, the string data that is representative of malicious code is historical string data. The present invention goes beyond such systems in providing string data that is generated on a real time (runtime) basis, thus providing a truly dynamic malicious code detection system. This invention also is capable of filtering outgoing traffic on the packet level as well as on the stream level.